Abstract

This document specifies a process for encrypting data and
representing the result in XML. The data may be in a variety
of formats, including octet streams and other unstructured
data, or structured data formats such as XML documents, an
XML element, or XML element content. The result of
encrypting data is an XML Encryption element that contains or
references the cipher data.

Status of This Document

This section describes the status of this document at the time of its publication. Other
documents may supersede this document. A list of current W3C publications and the latest revision
of this technical report can be found in the W3C technical reports
index at http://www.w3.org/TR/.

This document has been reviewed by W3C Members, by software developers, and by other W3C groups and interested parties, and is endorsed by the Director as a W3C Recommendation. It is a stable document and may be used as reference material or cited from another document. W3C's role in making the Recommendation is to draw attention to the specification and to promote its widespread deployment. This enhances the functionality and interoperability of the Web.

1. Introduction

This document specifies a process for encrypting data and
representing the
result in XML. The data may be arbitrary data (including an XML
document), an
XML element, or XML element content. The result of encrypting
data is an XML
Encryption EncryptedData element that contains (via
one of its
children's content) or identifies (via a URI reference) the
cipher data.

When encrypting an XML element or element content the
EncryptedData element replaces the element or content
(respectively) in the encrypted version of the XML document.

When encrypting arbitrary data (including entire XML documents), the
EncryptedData element may become the root of a new
XML document
or become a child element in an application-chosen XML document.

1.1 Editorial and Conformance Conventions

This specification uses XML schemas [XMLSCHEMA-1],
[XMLSCHEMA-2] to describe the content model.
The full normative grammar is defined by the XSD schema
and the normative text in this specification. The standalone XSD
schema file is authoritative in case there is any disagreement between
it and the XSD schema portions.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
specification are to be interpreted as described in [RFC2119]:

"They MUST only be used where it is actually required for
interoperation
or to limit behavior which has potential for causing harm
(e.g., limiting
retransmissions)"

Consequently, we use these capitalized keywords to
unambiguously specify
requirements over protocol and application features and
behavior that affect
the interoperability and security of implementations. These
key words are not
used (capitalized) to describe XML grammar; schema definitions
unambiguously
describe such requirements and we wish to reserve the
prominence of these
terms for the natural language descriptions of protocols and
features. For
instance, an XML attribute might be described as being
"optional". Compliance
with the XML-namespace specification [XML-NAMES] is
described as "REQUIRED".

1.3 Versions, Namespaces, URIs, and Identifiers

This specification makes use of XML namespaces, and uses Uniform
Resource Identifiers [URI] to identify resources, algorithms, and
semantics.

Implementations of this specification MUST use the following XML
namespace URIs:

URI

namespace prefix

XML internal entity

http://www.w3.org/2001/04/xmlenc#

default namespace,
xenc:

<!ENTITY xenc "http://www.w3.org/2001/04/xmlenc#">

http://www.w3.org/2009/xmlenc11#

xenc11:

<!ENTITY xenc11 "http://www.w3.org/2009/xmlenc11#">

The http://www.w3.org/2001/04/xmlenc#
(xenc:) namespace was
introduced in version 1.0 of this specification. The present
version does not coin any new
elements or algorithm identifiers in that namespace; instead, the
http://www.w3.org/2009/xmlenc11# (xenc11:)
namespace
is used.

No provision is made for an explicit version number in this
syntax. If a future version of
this specification requires explicit versioning of the
document format, a different namespace will
be used.

Additionally, this specification uses elements and
algorithm identifiers from the XML Signature name spaces
[XMLDSIG-CORE1]:

Additionally, we thank the following for their comments
during and subsequent to the Last Call of the original
Recommendation:
Martin Dürst, W3C, Dan Lanz, Zolera, Susan Lesch, W3C,
David Orchard, BEA Systems, Ronald
Rivest, MIT.

The working group also acknowledges the contribution of Juraj
Somorovsky raising the issue of the CBC chosen ciphertext attack
and contributions to revising the security considerations of XML
Encryption 1.1.

Expressed in shorthand form, the EncryptedData element has the following
structure (where "?" denotes zero or one occurrence; "+" denotes one or more
occurrences; "*" denotes zero or more occurrences; "|" denotes a choice; and the empty element tag
means the element must be empty ):

The CipherData element envelopes or references the raw
encrypted data. A CipherData element must have either a CipherValue or CipherReference child element. If enveloping, the raw encrypted data is the
CipherValue element's content; if referencing, the
CipherReference element's URI attribute points to
the location of the raw encrypted data

2.1 Encryption Granularity

This section is non-normative.

Note: Examples in this document do not consider plaintext guessing
attacks or other risks, and are only for illustrative purposes.

Consider the following fictitious payment information, which includes
identification information and information appropriate to a payment method
(e.g., credit card, money transfer, or electronic
check):

By encrypting the entire CreditCard element from its start to
end tags, the identity of the element itself is hidden. (An eavesdropper
doesn't know whether he used a credit card or money transfer.) The
CipherData element contains the encrypted serialization of the
CreditCard element.

2.1.2 Encrypting XML Element Content (Elements)

As an alternative scenario, it may be useful for intermediate agents to
know that John used a credit card with a particular limit, but not the card's
number, issuer, and expiration date. In this case, the content (character
data or children elements) of the CreditCard element can be
encrypted:

Where appropriate, such as in the case of encrypting an entire EXI
stream, the Type attribute SHOULD be provided
and indicate the use of EXI. The optional MimeType MAY be used to
record the actual (non-EXI-encoded) type, but is not necessary and may
be omitted, as in the following EXI encryption example:

2.1.5 Super-Encryption: Encrypting EncryptedData

An XML document may contain zero or more EncryptedData
elements. EncryptedData cannot be the parent or child of another
EncryptedData element. However, the actual data encrypted can be
anything, including EncryptedData and EncryptedKey
elements (i.e., super-encryption). During super-encryption of an
EncryptedData or EncryptedKey element, one must
encrypt the entire element. Encrypting only the content of these elements, or
encrypting selected child elements is an invalid instance under the provided
schema.

[s1] The type of data encrypted may be represented as an
attribute value to aid in decryption and subsequent processing. In this case,
the data encrypted was an 'element'. Other alternatives include 'content' of
an element, or an external octet sequence which can also be identified via
the MimeType and Encoding attributes.

[s2] This (3DES CBC) is a symmetric key cipher.

[s4] The symmetric key has an associated name "John
Smith".

[s6]CipherData contains a
CipherValue, which is a base64 encoded octet sequence.
Alternately, it could contain a CipherReference, which is a URI
reference along with transforms necessary to obtain the encrypted data as an
octet sequence

[t09] The EncryptedKey element is similar to the
EncryptedData element except that the data encrypted is always a
key value.

[t10] The EncryptionMethod is the RSA public key
algorithm.

[t12]ds:KeyName of "John Smith" is a property
of the key necessary for decrypting (using RSA) the
CipherData.

[t14] The CipherData's CipherValue
is an octet sequence that is processed (serialized, encrypted, and encoded)
by a referring encrypted object's EncryptionMethod. (Note, an
EncryptedKey's EncryptionMethod is the algorithm used to encrypt
these octets and does not speak about what type of octets they are.)

[t15-17] A ReferenceList identifies the
encrypted objects (DataReference and KeyReference)
encrypted with this key. The ReferenceList contains a list of
references to data encrypted by the symmetric key carried within this
structure.

[t18] The CarriedKeyName element is used to
identify the encrypted key value which may be referenced by the
KeyName element in ds:KeyInfo. (Since ID attribute
values must be unique to a document,CarriedKeyName can indicate
that several EncryptedKey structures contain the same key value
encrypted for different recipients.)

3. Encryption Syntax

This section provides a detailed description of the syntax and features
for XML Encryption. Features described in this section MUST be implemented
unless otherwise noted. The syntax is defined via [XMLSCHEMA-1], [XMLSCHEMA-2] with the following XML preamble,
declaration, internal entity, and import:

(Note: A newline has been added to the schemaLocation URI to fit on this page, but is not part of the URI.)

3.1 The EncryptedType Element

EncryptedType is the abstract type from which
EncryptedData and EncryptedKey are derived. While
these two latter element types are very similar with respect to their content
models, a syntactical distinction is useful to processing. Implementations
MUST generate laxly schema valid [XMLSCHEMA-1], [XMLSCHEMA-2]
EncryptedData or EncryptedKey elements as specified by the
subsequent schema declarations. (Note the laxly schema valid generation means
that the content permitted by xsd:ANY need not be valid.)
Implementations SHOULD create these XML structures
(EncryptedType elements and their descendants/content) in
Normalization Form C [NFC].

EncryptionMethod is an optional element that describes the
encryption algorithm applied to the cipher data. If the element is absent,
the encryption algorithm must be known by the recipient or the decryption
will fail.

ds:KeyInfo is an optional element, defined by [XMLDSIG-CORE1], that carries information about the key
used to encrypt the data. Subsequent sections of this specification define
new elements that may appear as children of ds:KeyInfo.

CipherData is a mandatory element that contains the
CipherValue or CipherReference with the encrypted
data.

Id is an optional attribute providing for the standard method
of assigning a string id to the element within the document context.

Type is an optional attribute identifying type information
about the plaintext form of the encrypted content. While optional, this
specification takes advantage of it for processing described in section 4.4 Decryption. If the EncryptedData element
contains data of Type 'element' or element 'content', and
replaces that data in an XML document context, or contains data of
Type 'EXI', it is strongly recommended the
Type attribute be provided. Without this information, the
decryptor will be unable to automatically restore the XML document to its
original cleartext form.

MimeType is an optional (advisory) attribute which describes
the media type of the data which has been encrypted. The value of this
attribute is a string with values defined by [RFC2045].
For example, if the data that is encrypted is a base64 encoded PNG, the
transfer Encoding may be specified as 'http://www.w3.org/2000/09/xmldsig#base64'
and the MimeType as 'image/png'. This attribute is purely
advisory; no validation of the MimeType information is required
and it does not indicate the encryption application must do any additional
processing. Note, this information may not be necessary if it is already
bound to the identifier in the Type attribute. For example, the
Element and Content types defined in this specification are always UTF-8
encoded text.
In the case of Type EXI the MimeType attribute is not necessary, but
if used should reflect the underlying type and not "EXI".

Encoding is an optional (advisory) attribute which describes
the transfer encoding of the data that has been encrypted.

3.2 The EncryptionMethod Element

EncryptionMethod is an optional element that describes the encryption
algorithm applied to the cipher data. If the element is absent, the
encryption algorithm must be known to the recipient or the decryption will
fail.

The permitted child elements of the EncryptionMethod are
determined by the specific value of the Algorithm attribute URI,
and the KeySize child element is always permitted. For example,
the RSA-OAEP algorithm (section 5.5.2 RSA-OAEP) uses the
ds:DigestMethod and OAEPparams elements, and
may use the xenc11:MGF element when needed. (We rely
upon the ANY schema construct because it is not possible to
specify element content based on the value of an attribute.)

The presence of any child element under EncryptionMethod
that is not permitted by the algorithm or the presence of a
KeySize child inconsistent with the algorithm MUST be treated as
an error. (All algorithm URIs specified in this document imply a key size but
this is not true in general. Most popular stream cipher algorithms take
variable size keys.)

3.3 The CipherData Element

The CipherData is a mandatory element that provides the
encrypted data. It must either contain the encrypted octet sequence as base64
encoded text as element content of the CipherValue element, or provide a reference
to an external location containing the encrypted octet sequence via the
CipherReference element.

3.3.1 The CipherReference Element

If CipherValue is not supplied directly, the
CipherReference identifies a source which, when processed,
yields the encrypted octet sequence.

The actual value is obtained as follows. The CipherReferenceURI contains an identifier that is dereferenced. Should the
CipherReference element contain an OPTIONAL sequence of
Transforms, the data resulting from dereferencing the URI is
transformed as specified so as to yield the intended cipher value. For
example, if the value is base64 encoded within an XML document; the
transforms could specify an XPath expression followed by a base64 decoding so
as to extract the octets.

The syntax of the URI and Transforms is defined in XML Signature
[XMLDSIG-CORE1], however XML Encryption places
the Transforms element in the XML Encryption namespace
since it is
used in XML Encryption to obtain an octet stream for decryption.
In [XMLDSIG-CORE1] both generation and validation processing
start with the same source data and perform that transform in the same order.
In encryption, the decryptor has only the cipher data and the specified
transforms are enumerated for the decryptor, in the order necessary to obtain
the octets. Consequently, because it has different semantics
Transforms is in the xenc: namespace.

For example, if the relevant cipher value is captured
within a
CipherValue element within a different XML
document, the
CipherReference might look as follows:

Implementations MUST support the CipherReference feature and
the same URI encoding, dereferencing, scheme, and HTTP response codes as that
of [XMLDSIG-CORE1]. The Transform feature
and particular transform algorithms are OPTIONAL.

3.4 The EncryptedData Element

The EncryptedData element is the core element
in the syntax.
Not only does its CipherData child contain the
encrypted data,
but it's also the element that replaces the encrypted element, or
element content, or serves as
the new document root.

3.5 Extensions to ds:KeyInfo Element

There are three ways that the keying material needed to decrypt
CipherData can be provided:

The EncryptedData or EncryptedKey element
specify the associated keying material via a child of
ds:KeyInfo. All of the child elements of
ds:KeyInfo specified in [XMLDSIG-CORE1] MAY be used as qualified:

Support for ds:KeyValue is OPTIONAL and may
be used to transport public keys, such as Diffie-Hellman Key
Values (section 5.6.1 Diffie-Hellman Key
Values).
(Including the plaintext decryption key, whether a private key or a
secret key, is obviously NOT RECOMMENDED.)

Support of ds:KeyName to refer to an
EncryptedKeyCarriedKeyName is
RECOMMENDED.

A detached (not inside ds:KeyInfo)
EncryptedKey element can specify the
EncryptedData or EncryptedKey to which its
decrypted key will apply via a DataReference or
KeyReference (
section 3.6 The ReferenceList Element).

The keying material can be determined by the recipient by application
context and thus need not be explicitly mentioned in the transmitted
XML.

3.5.1 The EncryptedKey Element

(This can be used within a ds:RetrievalMethod element
to identify the referent's type.)

The EncryptedKey element is used to transport encryption keys
from the originator to a known recipient(s). It may be used as a stand-alone
XML document, be placed within an application document, or appear inside an
EncryptedData element as a child of a ds:KeyInfo
element. The key value is always encrypted to the recipient(s). When
EncryptedKey is decrypted the resulting octets are made
available to the EncryptionMethod algorithm without any
additional processing.

ReferenceList is an optional element containing pointers to
data and keys encrypted using this key. The reference list may contain
multiple references to EncryptedKey and
EncryptedData elements. This is done using
KeyReference and DataReference elements
respectively. These are defined below.

CarriedKeyName is an optional element for associating a user
readable name with the key value. This may then be used to reference the key
using the ds:KeyName element within ds:KeyInfo. The
same CarriedKeyName label, unlike an ID type, may occur multiple
times within a single document. The value of the key MUST be the same in all
EncryptedKey elements identified with the same
CarriedKeyName label within a single XML document. Note that
because whitespace is significant in the value of the ds:KeyName
element, whitespace is also significant in the value of the
CarriedKeyName element.

Recipient is an optional attribute that contains a hint as to
which recipient this encrypted key value is intended for. Its contents are
application dependent.

The Type attribute inherited from EncryptedType
can be used to further specify the type of the encrypted key if the
EncryptionMethodAlgorithm does not define a
unambiguous encoding/representation. (Note, all the algorithms in this
specification have an unambiguous representation for their associated key
structures.)

3.5.2 The DerivedKey Element

(This can be used within a ds:RetrievalMethod element
to identify the referent's type.)

The DerivedKey element is used to transport information
about a derived key from the originator to recipient(s). It may be
used as a stand-alone XML document, be placed within an application
document, or appear inside an EncryptedData or
Signature element as a child of a ds:KeyInfo
element. The key value itself is never sent by the
originator. Rather, the originator provides information to the
recipient(s) by which the recipient(s) can derive the same key
value. When the key has been derived the resulting octets are made
available to the EncryptionMethod or
SignatureMethod algorithm without any additional
processing.

KeyDerivationMethod is an optional element that describes
the key derivation algorithm applied to the master (underlying)
key material. If the element is absent, the key derivation algorithm must
be known by the recipient or the recipient's key derivation will fail.

ReferenceList is an optional element containing pointers
to data and keys encrypted using this key. The reference list may
contain multiple references to EncryptedKey or
EncryptedData elements. This is done using
KeyReference and DataReference elements
from XML Encryption.

The optional DerivedKeyName element is used to identify
the derived key value. This element may then be referenced by the
ds:KeyName element in ds:KeyInfo. The
same DerivedKeyName label, unlike an ID type, may occur
multiple times within a single document. Note that because whitespace
is significant in the value of the ds:KeyName element,
whitespace is also significant in the value of the
DerivedKeyName element.

MasterKeyName is an optional element for associating a
user readable name with the master key (or secret) value. The
same MasterKeyName label, unlike an ID type, may occur
multiple times within a single document. The value of the master
key MUST be the same in all DerivedKey elements
identified with the same MasterKeyName label within a
single XML document. If no MasterKeyName is provided, the
master key material must be known by the recipient or key
derivation will fail.

Recipient is an optional attribute that contains a hint
as to which recipient this derived key value is intended for. Its
contents are application dependent.

The optional Id attribute provides for the standard
method of assigning a string id to the element within the document
context.

The Type attribute can be used to further specify the
type of the derived key if the KeyDerivationMethod
algorithm does not define an unambiguous encoding/representation.

3.5.3 The ds:RetrievalMethod Element

The ds:RetrievalMethod[XMLDSIG-CORE1] with a Type of
'http://www.w3.org/2001/04/xmlenc#EncryptedKey' provides a way
to express a link to an EncryptedKey element containing the key
needed to decrypt the CipherData associated with an
EncryptedData or EncryptedKey element. The ds:RetrievalMethod[XMLDSIG-CORE1] with a Type of 'http://www.w3.org/2001/04/xmlenc#DerivedKey' provides a way
to express a link to a DerivedKey element used to derive the key
needed to decrypt the CipherData associated with an
EncryptedData or EncryptedKey element. The
ds:RetrievalMethod with one of these types is always a child of the
ds:KeyInfo element and may appear multiple times. If there is
more than one instance of a ds:RetrievalMethod in a
ds:KeyInfo of this type, then the EncryptedKey
objects referred to must contain the same key value, possibly encrypted in
different ways or for different recipients.

3.6 The ReferenceList Element

ReferenceList is an element that contains pointers from a key
value of an EncryptedKey or DerivedKey to items encrypted by that key value
(EncryptedData or EncryptedKey elements).

DataReference elements are used to refer to
EncryptedData elements that were encrypted using the key defined
in the enclosing EncryptedKey or DerivedKey element. Multiple
DataReference elements can occur if multiple
EncryptedData elements exist that are encrypted by the same
key.

KeyReference elements are used to refer to
EncryptedKey elements that were encrypted using the key defined
in the enclosing EncryptedKey or DerivedKey element. Multiple
KeyReference elements can occur if multiple
EncryptedKey elements exist that are encrypted by the same
key.

For both types of references one may optionally specify child elements to
aid the recipient in retrieving the EncryptedKey and/or
EncryptedData elements. These could include information such as
XPath transforms, decompression transforms, or information on how to retrieve
the elements from a document storage facility. For example:

3.7 The EncryptionProperties Element

(This can be used within a ds:Reference element to
identify the referent's type.)

Additional information items concerning the generation of the
EncryptedData or EncryptedKey can be placed in an
EncryptionProperty element (e.g., date/time stamp or the serial
number of cryptographic hardware used during encryption). The
Target attribute identifies the EncryptedType
structure being described. anyAttribute permits the inclusion of
attributes from the XML namespace to be included (i.e.,
xml:space, xml:lang, and xml:base).

4. Processing Rules

This section describes the operations to be performed as part of
encryption and decryption processing by implementations of this
specification. The conformance requirements are specified over the following
roles:

Encryptor and Decryptor are invoked by the Application. This specification does not include normative definitions for application behavior. However, this specification does include conformance requirements on encrypted data that may only be achievable through appropriate behavior by all three parties. It is up to specific deployment contexts how this is achieved.

4.1 Intended Application Model

The processing rules for XML Encryption are designed around an intended application model that this version of the specification does not cover normatively.

In the intended processing model, XML Encryption is used to encrypt
an octet-stream, an EXI stream, or a fragment of an XML document that
matches either the content or element
production from [XML10].

If XML Encryption is used with some octet-stream, the precise encoding and meaning of that octet-stream is up to the application, but treated as opaque by the Encryptor or Decryptor. The application may use the Type, Encoding and MimeType parameters to transport further information about the nature of that octet-stream. Hence, an unknown Type parameter is, in general, not treated as an error by either the Encryptor or Decryptor, but instead simply passed through, along with the other relevant parameters and the cleartext octet-stream.

If XML Encryption is used with an XML element or XML content, then Encryptors and Decryptors commonly perform type-specific processing:

If an element is encrypted, then the Encryptor
will replace the element in question with an appropriately
constructed EncryptedData element. The Decryptor
will, conversely, replace the EncryptedData element
with its cleartext.

If XML content is encrypted, then the Encryptor will likewise replace this content with an appropriately constructed EncryptedData element, and the Decryptor will reverse this operation.

Note that the intended Encryptor behavior
will often cause the document with encrypted parts to become
invalid with respect to its schema
for
the hosting XML format, unless that format is specifically prepared
to be used with XML Encryption. An Encryptor or Decryptor that
implements the intended processing model is NOT REQUIRED to ensure
that the resulting XML is schema-valid for the hosting XML
format.

If XML processing is handled inside the Encryptor and Decryptor, and the Type attribute values for element and content cleartext are used, then the Encryptor and Decryptor MUST ensure that the XML cleartext is serialized as UTF-8 before encryption, and -- if needed -- converted back to whatever other encoding might be used by the surrounding XML context.

If XML Encryption is used with an EXI stream [EXI], then Encryptors and
Decryptors process content as for XML element or XML content processing, but taking into account EXI serialization. In particular,
the encryptor will replace the XML element or XML fragment in question
with an appropriately constructed EncryptedData element. The Decryptor
will conversely replace the EncryptedData element with its cleartext
XML element or XML fragment. Note that the XML document into which the
EncryptedData element is embedded may be encoded using EXI and/or EXI
may be used to encode the cleartext before encryption.

4.2 Well-known Type parameter values

For interoperability purposes, the following types MUST be implemented
such that an implementation will be able to take as input and yield as output
data matching the production rules 39 and 43 from [XML10]:

Presence of this Type indicates that the cleartext is an EXI stream [EXI]. Encryptors and Decryptors that support this type MAY operate directly on (parts of) EXI streams.

Encryptors and Decryptors SHOULD handle unknown or empty Type attribute values as a signal that the cleartext is to be handled as an opaque octet-stream, whose specific processing is up to the invoking application. In this case, the Type, MimeType and Encoding parameters SHOULD be treated as opaque data whose appropriate processing is up to the application.

4.3 Encryption

The selection of the algorithm, parameters, and encryption keys is out of scope for this specification.

The cleartext data are assumed to be present as an octet stream. If the cleartext is of type element or content, the data MUST be serialized in UTF-8 as specified in [XML10], using Normal Form C [NFC].

For each data item to be encrypted as an EncryptedData or
EncryptedKey element, the encryptorMUST:

Obtain (or derive) and (optionally) represent the key.

If the key is to be identified (via naming, URI, or included in a
child element), construct the ds:KeyInfo as appropriate
(e.g., ds:KeyName, ds:KeyValue,
ds:RetrievalMethod, etc.)

If the key itself is to be encrypted, construct an
EncryptedKey element by recursively applying this
encryption process. The result may then be a child of
ds:KeyInfo, or it may exist elsewhere and may be
identified in the preceding step.

If the key was derived from a master key, construct a
DerivedKey element with associated child
elements. The result may, as in the EncryptedKey
case, be a child of ds:KeyInfo, or it may exist
elsewhere.

Encrypt the data:

Encrypt the octets using the algorithm and key.

Unless the decryptor will implicitly know the type of the
encrypted data, the encryptorSHOULD set the
Type to indicate the intended interpretation of the cleartext
data. See section 4.2 Well-known Type parameter values
for known parameter values.

If the data is a
simple octet sequence it MAY be described with the
MimeType and Encoding attributes. For
example, the data might be an XML document
(MimeType="text/xml"), sequence of characters
(MimeType="text/plain"), or binary image data
(MimeType="image/png").

Build the EncryptedData or
EncryptedKey structure:

An EncryptedData or EncryptedKey structure represents all of the
information previously discussed including the type of the encrypted
data, encryption algorithm, parameters, key, type of the encrypted data,
etc.

If the encrypted octet sequence obtained in step 2 is to be stored
in the CipherData element within the
EncryptedData or EncryptedKey element, then the base64 representation of the encrypted octet sequence is
inserted as the content of a
CipherValue element.

If the encrypted octet sequence is stored externally to the
EncryptedData or EncryptedKey element,
then the URI and transforms (if
any) required for the Decryptor to retrieve the encrypted octet
sequence are described within a
CipherReference element.

4.4 Decryption

For each EncryptedData or EncryptedKey to be decrypted,
the decryptorMUST:

If a CipherValue child element is present, then the
associated text value is retrieved and base64 decoded so as to obtain
the encrypted octet sequence.

If a CipherReference child element is present, the URI
and transforms (if any) are used to retrieve the encrypted octet
sequence.

The encrypted octet sequence is decrypted using the
algorithm, parameters and key value already determined from step 1.

4.5 XML Encryption

Encryption and decryption operations are operations on octets. The
application is responsible for the marshalling XML such that
it can be serialized into an octet sequence, encrypted, decrypted, and be of
use to the recipient.

For example, if the application wishes to canonicalize its data or
encode/compress the data in an XML packaging format, the application needs to
marshal the XML accordingly and identify the resulting type via the
EncryptedDataType attribute. The likelihood of
successful decryption and subsequent processing will be dependent on the
recipient's support for the given type. Also, if the data is intended to be
processed both before encryption and after decryption (e.g., XML Signature
[XMLDSIG-CORE1] validation or an XSLT transform) the
encrypting application must be careful to preserve information necessary for
that process's success.

The following sections contain specifications for decrypting, replacing,
and serializing XML content (i.e., Type 'element' or
element 'content')
using the [XPATH] data model. These sections are
non-normative and OPTIONAL to implementers of this specification, but they
may be normatively referenced by and be required by other specifications that
require a consistent processing for applications, such as [XMLENC-DECRYPT].

4.5.1 A Decrypt
Implementation (Non-normative)

Where P is the context in which the serialized XML should be
parsed (a document node or element node) and O is the octet sequence
representing UTF-8 encoded characters resulting from step 4.3 in section 4.4 Decryption. Y
is node-set representing the decrypted content
obtained by the following steps:

Let C be the parsing context
of a child of P, which consists of the following items:

Prefix and namespace name of each namespace that is in scope for
P.

Name and value of each general entity that is effective for the XML
document causing P.

Include Y in place of e and its descendants in
X. Since [XPATH] does not define
methods of replacing node-sets from different documents, the result
MUST be equivalent to replacing e with the octet stream resulting
from its decryption in the serialized form of X and
re-parsing the document. However, the actual method of performing this
operation is left to the implementor.

4.5.3 Serializing XML (Non-normative)

4.5.3.1 Default Namespace Considerations

In section 4.3 Encryption
(step 3.1), when serializing an XML fragment special
care SHOULD be taken with respect to default namespaces. If the data will be
subsequently decrypted in the context of a parent XML document then
serialization can produce elements in the wrong namespace. Consider the
following fragment of XML:

Decrypting and replacing the EncryptedData within this
document would produce the following incorrect result:

Example 17

<Documentxmlns="http://example.org/"><ToBeEncrypted/></Document>

This problem arises because most XML serializations assume that the
serialized data will be parsed directly in a context where there is no
default namespace declaration. Consequently, they do not redundantly declare
the empty default namespace with an xmlns="". If, however, the
serialized data is parsed in a context where a default namespace declaration
is in scope (e.g., the parsing context as described in section 4.5.1 A Decrypt
Implementation (Non-normative)), then
it may affect the interpretation of the serialized data.

To solve this problem, a canonicalization algorithm MAY be augmented as
follows for use as an XML encryption serializer:

A default namespace declaration with an empty value (i.e.,
xmlns="") SHOULD be emitted where it would normally be
suppressed by the canonicalization algorithm.

While the result may not be in proper canonical form, this is harmless as
the resulting octet stream will not be used directly in a
[XMLDSIG-CORE1] signature value computation.
Returning to the preceding example with our new augmentation, the
ToBeEncrypted element would be serialized as follows:

<ToBeEncrypted xmlns=""></ToBeEncrypted>

When processed in the context of the parent document, this serialized
fragment will be parsed and interpreted correctly.

This augmentation can be retroactively applied to an existing
canonicalization implementation by canonicalizing each apex node and its
descendants from the node set, inserting xmlns="" at the
appropriate points, and concatenating the resulting octet streams.

4.5.3.2 XML Attribute Considerations

Similar attention between the relationship of a fragment and the context
into which it is being inserted should be given to the xml:base,
xml:lang, and xml:space attributes as mentioned in
the Security
Considerations of [XML-EXC-C14N]. For
example, if the element:

Example 18

<Bongohref="example.xml"/>

is taken from a context and serialized with no xml:base [XMLBASE] attribute and parsed in the context of the
element:

Example 19

<Bazxml:base="http://example.org/"/>

the result will be:

Example 20

<Bazxml:base="http://example.org/"><Bongohref="example.xml"/></Baz>

Bongo's href is subsequently interpreted as
"http://example.org/example.xml". If this is not the correct
URI, Bongo should have been serialized with its own
xml:base attribute.

Unfortunately, the recommendation that an empty value be emitted to
divorce the default namespace of the fragment from the context into which it
is being inserted cannot be made for the attributes
xml:base, and xml:space. (Error 41 of the XML 1.0 Second Edition
Specification Errata clarifies that an empty string value of the
attribute xml:langis considered as if, "there is no
language information available, just as if xml:lang had not been
specified".)The interpretation of an empty value for the
xml:base or xml:space attributes is undefined or
maintains the contextual value. Consequently, applications SHOULD ensure (1)
fragments that are to be encrypted are not dependent on XML attributes, or
(2) if they are dependent and the resulting document is intended to be valid [XML10], the fragment's definition permits the presence of
the attributes and that the attributes have non-empty values.

4.5.4 Text Wrapping

This section specifies the process for wrapping text in a given parsing
context. The process is based on the proposal by Richard Tobin [Tobin] for constructing the infoset [XML-INFOSET] of an external entity.

The process consists of the following steps:

If the parsing context contains any general entities, then emit a
document type declaration that provides entity declarations.

Emit a dummy element start-tag with namespace declaration
attributes declaring all the namespaces in the parsing context.

Emit the text.

Emit a dummy element end-tag.

In the above steps, the document type declaration and dummy
element tags MUST be encoded in UTF-8.

5. Algorithms

This section discusses algorithms used with the XML Encryption
specification. Entries contain the identifier to be used as the value of the
Algorithm attribute of the EncryptionMethod element
or other element representing the role of the algorithm, a reference to the
formal specification, definitions for the representation of keys and the
results of cryptographic operations where applicable, and general
applicability comments.

5.1 Algorithm Identifiers and Implementation Requirements

All algorithms listed below have implicit parameters depending on their
role. For example, the data to be encrypted or decrypted, keying material,
and direction of operation (encrypting or decrypting) for encryption
algorithms. Any explicit additional parameters to an algorithm appear as
content elements within the element. Such parameter child elements have
descriptive element names, which are frequently algorithm specific, and
SHOULD be in the same namespace as this XML Encryption specification, the XML
Signature specification, or in an algorithm specific namespace. An example of
such an explicit parameter could be a nonce (unique quantity) provided to a
key agreement algorithm.

This specification defines a set of algorithms, their URIs, and
requirements for implementation. Levels of requirement specified, such as
"REQUIRED" or "OPTIONAL", refer to implementation, not use. Furthermore, the
mechanism is extensible, and alternative algorithms may be used.

5.1.1 Table of Algorithms

The table below lists the categories of algorithms. Within each category,
a brief name, the level of implementation requirement, and an identifying URI
are given for each algorithm.

Note: Use
of AES GCM is strongly recommended over any CBC block encryption
algorithms as recent
advances in cryptanalysis [XMLENC-CBC-ATTACK][XMLENC-CBC-ATTACK-COUNTERMEASURES]
have cast doubt on the ability of CBC block encryption algorithms to
protect plain text when used with XML Encryption. Other mitigations
should be considered when using CBC block encryption, such as
conveying the encrypted data over a secure channel such as TLS. The
CBC block encryption algorithms that are listed as required remain
so for backward compatibility.

Stream Encryption

none
Syntax and recommendations are given below to support user
specified algorithms.

5.2 Block Encryption Algorithms

Block encryption algorithms are designed for encrypting and decrypting
data in fixed size, multiple octet blocks. Their identifiers appear as the
value of the Algorithm attributes of
EncryptionMethod elements that are children of
EncryptedData.

Block encryption algorithms take, as implicit arguments, the data to be
encrypted or decrypted, the keying material, and their direction of
operation. For all of these algorithms specified below, an initialization
vector (IV) is required that is encoded with the cipher text. For user
specified block encryption algorithms, the IV, if any, could be specified as
being with the cipher data, as an algorithm content element, or elsewhere.

The IV is encoded with and before the cipher text for the algorithms below
for ease of availability to the decryption code and to emphasize its
association with the cipher text. Good cryptographic practice requires that a
different IV be used for every encryption.

5.2.1 Padding

Since the data being encrypted is an arbitrary number of octets, it may
not be a multiple of the block size. This is solved by padding the plain text
up to the block size before encryption and unpadding after decryption. The
padding algorithm is to calculate the smallest non-zero number of octets, say
N, that must be suffixed to the plain text to bring it up to a
multiple of the block size. We will assume the block size is B
octets so N is in the range of 1 to B. Pad by
suffixing the plain text with N-1 arbitrary pad bytes and a
final byte whose value is N. On decryption, just take the last
byte and, after sanity checking it, strip that many bytes from the end of the
decrypted cipher text.

For example, assume an 8 byte block size and plain text of
0x616263. The padded plain text would then be
0x616263????????05 where the "??" bytes can be any value.
Similarly, plain text of 0x2122232425262728 would be padded to
0x2122232425262728??????????????08.

5.2.2 Triple DES

NIST SP800-67 [SP800-67] specifies three
sequential FIPS 46-3 [DES] operations. The XML
Encryption TRIPLEDES consists of a DES encrypt, a DES decrypt, and a DES
encrypt used in the Cipher Block Chaining (CBC) mode with 192 bits of key and
a 64 bit Initialization Vector (IV). Of the key bits, the first 64 are used
in the first DES operation, the second 64 bits in the middle DES operation,
and the third 64 bits in the last DES operation.

Note: Each of these 64 bits of key contain 56 effective bits and 8 parity
bits. Thus there are only 168 operational bits out of the 192 being
transported for a TRIPLEDES key. (Depending on the criterion used for
analysis, the effective strength of the key may be thought to be 112 bits
(due to meet in the middle attacks) or even less.)

The resulting cipher text is prefixed by the IV. If included in XML
output, it is then base64 encoded. An example TRIPLEDES EncryptionMethod is
as follows:

5.2.3 AES

[AES] is used in the Cipher Block Chaining (CBC)
mode with a 128 bit initialization vector (IV). The resulting cipher text is
prefixed by the IV. If included in XML output, it is then base64 encoded. An
example AES EncryptionMethod is as follows:

5.2.4 AES-GCM

AES-GCM [SP800-38D] is an authenticated encryption mechanism. It is
equivalent to doing these two operations in one step - AES
encryption followed by HMAC signing.

AES-GCM is very attractive from a performance point of
view because the cost of AES-GCM is similar to regular AES-CBC
encryption, yet it achieves the same result as encryption and HMAC
signing. Also AES-GCM can be pipelined so it is amenable to
hardware acceleration.

For the purposes of this specification, AES-GCM shall be used with a
96 bit Initialization Vector (IV) and a 128 bit Authentication Tag
(T). The cipher text contains the IV first, followed by the encrypted
octets and finally the Authentication tag. No padding should be used
during encryption. During decryption the implementation should compare
the authentication tag computed during decryption with the specified
Authentication Tag, and fail if they don't match. For details on the
implementation of AES-GCM, see [SP800-38D].

5.3 Stream Encryption Algorithms

Simple stream encryption algorithms generate, based on the key, a stream
of bytes which are XORed with the plain text data bytes to produce the cipher
text on encryption and with the cipher text bytes to produce plain text on
decryption. They are normally used for the encryption of data and are
specified by the value of the Algorithm attribute of the
EncryptionMethod child of an EncryptedData
element.

NOTE: It is critical that each simple stream encryption key (or key and
initialization vector (IV) if an IV is also used) be used once only. If the
same key (or key and IV) is ever used on two messages then, by XORing the two
cipher texts, you can obtain the XOR of the two plain texts. This is usually
very compromising.

No specific stream encryption algorithms are specified herein but this
section is included to provide general guidelines.

Stream algorithms typically use the optional KeySize explicit
parameter. In cases where the key size is not apparent from the algorithm URI
or key source, as in the use of key agreement methods, this parameter sets
the key size. If the size of the key to be used is apparent and disagrees
with the KeySize parameter, an error MUST be returned.
Implementation of any stream algorithms is optional. The schema for the
KeySize parameter is as follows:

5.4 Key Derivation

Key derivation is a well-established mechanism for generating new
cryptographic key material from some existing, original ("master")
key material and potentially other information. Derived keys are
used for a variety of purposes including data encryption and message
authentication. The reason for doing key derivation itself is
typically a combination of a desire to expand a given, but limited,
set of original key material and prudent security practices of
limiting use (exposure) of such key material. Key separation (such as
avoiding use of the same key material for multiple purposes) is an
example of such practices.

The key derivation process may be based on passphrases agreed upon
or remembered by users, or it can be based on some shared "master"
cryptographic keys (and be intended to reduce exposure of such master
keys), etc. Derived keys themselves may be used in XML Signature and
XML Encryption as any other keys; in particular, they may be used to
compute message authentication codes (e.g. digital signatures using
symmetric keys) or for encryption/decryption purposes.

5.4.1 ConcatKDF

The ConcatKDF key derivation algorithm, defined in Section 5.8.1 of NIST
SP 800-56A [SP800-56A] (and equivalent to
the KDF3 function defined in ANSI X9.44-2007 [ANSI-X9-44-2007] when
the contents of the
OtherInfo parameter is structured as in NIST SP 800-56A),
takes several parameters. These parameters are represented in the
xenc11:ConcatKDFParamsType:

SchemaDefinition:

<!-- targetNamespace=&#x27;http://www.w3.org/2009/xmlenc11#&#x27; --><!-- use this element type as a child of xenc11:KeyDerivationMethod
when used with ConcatKDF --><elementname="ConcatKDFParams"type="xenc11:ConcatKDFParamsType"/><complexTypename="ConcatKDFParamsType"><sequence><elementref="ds:DigestMethod"/></sequence><attributename="AlgorithmID"type="hexBinary"/><attributename="PartyUInfo"type="hexBinary"/><attributename="PartyVInfo"type="hexBinary"/><attributename="SuppPubInfo"type="hexBinary"/><attributename="SuppPrivInfo"type="hexBinary"/></complexType>

The ds:DigestMethod element identifies the digest
algorithm used by the KDF. Compliant implementations MUST support
SHA-256 and SHA-1 (support for SHA-1 is present only for
backwards-compatibility reasons). Support for SHA-384 and SHA-512 is
OPTIONAL.

The AlgorithmID, PartyUInfo,
PartyVInfo, SuppPubInfo and
SuppPrivInfo attributes are as defined in
[SP800-56A]. Their
presence is optional but AlgorithmID,
PartyVInfo and PartyUInfoMUST be present
for applications that need to comply with [SP800-56A].
Note: The PartyUInfo component shall include a nonce when
ConcatKDF is
used in conjunction with a static-static Diffie-Hellman (or
static-static ECDH) key agreement scheme; see further [SP800-56A].

In [SP800-56A], AlgorithmID, PartyUInfo, PartyVInfo, SuppPubInfo
and
SuppPrivInfo attributes are all defined as
arbitrary-length bitstrings, thus they may need to be padded in order
to be encoded into hexBinary for XML Encryption. The following
padding and encoding method MUST be used when encoding bitstring
values for the AlgorithmID, PartyUInfo,
PartyVInfo, SuppPubInfo and
SuppPrivInfo:

The bitstring is divided into octets using big-endian encoding. If
the length of the bitstring is not a multiple of 8 then add padding
bits (value 0) as necessary to the last octet to make it a multiple of
8.

Prepend one octet to the octets string from step 1. This octet shall
identify (in a big-endian representation) the number of padding bits
added to the last octet in step 1.

Encode the octet string resulting from step 2 as a hexBinary string.

Example: the bitstring 11011, which is 5 bits long, gets
3 additional padding bits to become the
bitstring 11011000 (or D8 in hex). This
bitstring is then prepended with one octet identifying the number of
padding bits to become the octet string (in hex) 03D8, which then
finally is encoded as a hexBinary string value of "03D8".

Note that as specified in [SP800-56A],
these attributes shall be concatenated to form a bit string
“OtherInfo” that is used with the key derivation function. The
concatenation SHALL be done using the original, unpadded bit string
values.” Applications MUST also verify that these attributes, in an
application-specific way not defined in this document, identify
algorithms and parties in accordance with NIST SP800-56.

An example of an xenc11:DerivedKey element with this key
derivation algorithm given below. In this example, the bitstring
value of AlgorithmID is 00000000, the
bitstring value of PartyUInfo is 11011 and
the bitstring value of PartyVInfo is 11010:

Example 25

<xenc11:DerivedKeyxmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:ds="http://www.w3.org/2000/09/xmldsig#"xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"><xenc11:KeyDerivationMethodAlgorithm="http://www.w3.org/2009/xmlenc11#ConcatKDF"><xenc11:ConcatKDFParamsAlgorithmID="0000"PartyUInfo="03D8"PartyVInfo="03D0"><ds:DigestMethodAlgorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></xenc11:ConcatKDFParams></xenc11:KeyDerivationMethod><xenc:ReferenceList><xenc:DataReferenceURI="#ED"/></xenc:ReferenceList><xenc11:MasterKeyName>Our other secret</xenc11:MasterKeyName></xenc11:DerivedKey>

Note

While any bit string can be used with ConcatKDF, it is RECOMMENDED to keep byte
aligned for greatest interoperability.

5.4.2 PBKDF2

The PBKDF2 key derivation algorithm and the ASN.1 type definitions for
its parameters are defined in PKCS #5 v2.0 [PKCS5]. The XML schema
definitions for the parameters is defined in [PKCS5Amd1] and the same
can be specified by enclosing them within an xenc11:PBKDF2-params child
element of the xenc11:KeyDerivationMethod element.

(Note: A newline has been added to the Algorithm attribute to fit on this page, but is not part of the URI.)

The PBKDF2-params element and its child elements have the
same names
and meaning as the corresponding components of
the PBKDF2-params ASN.1
type in [PKCS5]. Note, in case of ConcatKDF and the Diffie Hellman
legacy KDF, KeyLength is an implied parameter and needs to be
inferred from the context, but in the case of PBKDF2
the KeyLength child
element has to be specified, as it has been made a mandatory parameter
to be consistent with PKCS5. For PBKDF2, the inferred key length must
match the specified key length, otherwise it is an error condition.

The AlgorithmIdentifierType corresponds to
the AlgorithmIdentifier type of [PKCS5] and carries the
algorithm identifier in the Algorithm attribute. Algorithm
specific parameters, where applicable, can be specified using
the Parameters element.

The PRFAlgorithmIdentifierType is derived from the
AlgorithmIdentifierType and constrains the choice of
algorithms to those contained in the PBKDF2-PRFs set defined in
[PKCS5]. This type is used to specify a pseudorandom function (PRF)
for PBKDF2. Whereas HMAC-SHA1 is the default PRF algorithm in [PKCS5],
use of HMAC-SHA256 is RECOMMENDED by this specification (see [XMLDSIG-CORE1],
[HMAC]).

An example of an xenc11:DerivedKey element with this key
derivation algorithm is:

5.5 Key Transport

Key Transport algorithms are public key encryption algorithms especially
specified for encrypting and decrypting keys. Their identifiers appear as
Algorithm attributes to EncryptionMethod elements
that are children of EncryptedKey. EncryptedKey is
in turn the child of a ds:KeyInfo element. The type of key being
transported, that is to say the algorithm in which it is planned to use the
transported key, is given by the Algorithm attribute of the
EncryptionMethod child of the EncryptedData or
EncryptedKey parent of this ds:KeyInfo element.

(Key Transport algorithms may optionally be used to encrypt data in which
case they appear directly as the Algorithm attribute of an
EncryptionMethod child of an EncryptedData element.
Because they use public key algorithms directly, Key Transport algorithms are
not efficient for the transport of any amounts of data significantly larger
than symmetric keys.)

The CipherValue for such an encrypted key is the base64 [RFC2045] encoding of the octet string computed as per RFC
3447 [PKCS1], section 7.2.1: Encryption operation].
As specified in the EME-PKCS1-v1_5 function RFC 3447 [PKCS1],
section 7.2.1, the value input to the key
transport function is as follows:

Example 28

CRYPT ( PAD ( KEY ))

where the padding is of the following special form:

Example 29

02| PS*|00| key

where "|" is concatenation, "02" and "00" are fixed octets of the
corresponding hexadecimal value, PS is a string of strong pseudo-random
octets [RANDOM] at least eight octets long,
containing no zero octets, and long enough that the value of the quantity
being CRYPTed is one octet shorter than the RSA modulus, and "key" is the key
being transported. The key is 192 bits for TRIPLEDES and 128, 192, or 256
bits for AES.

Implementations MUST support this key transport algorithm for transporting 192-bit TRIPLEDES keys. Support of this algorithm for
transporting other keys is OPTIONAL. RSA-OAEP is RECOMMENDED for the
transport of AES keys.

The resulting base64 [RFC2045] string is the value of
the child text node of the CipherData element, e.g.

5.5.2 RSA-OAEP

The RSAES-OAEP-ENCRYPT algorithm, as specified in RFC 3447 [PKCS1],
has options that define the message digest function and mask
generation function, as well as an optional PSourceAlgorithm
parameter. Default values defined in RFC 3447 are SHA1
for the message
digest and MGF1 with SHA1 for the mask generation
function. Both the
message digest and mask generation functions are used in the
EME-OAEP-ENCODE operation as part of RSAES- OAEP-ENCRYPT.

The http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p identifier defines
the mask generation function as the fixed value of MGF1 with
SHA1. In
this case the optional xenc11:MGF element of the
xenc:EncryptionMethod element MUST NOT be provided.

The http://www.w3.org/2009/xmlenc11#rsa-oaep identifier defines the
mask generation function using the optional xenc11:MGF
element of the xenc:EncryptionMethod element. If not present, the
default of MGF1 with SHA1 is to be used.

The following URIs define the various mask generation function URI
values that may be used. These correspond to the object identifiers
defined in RFC 4055 [RFC4055]:

MGF1 with SHA1: http://www.w3.org/2009/xmlenc11#mgf1sha1

MGF1 with SHA224: http://www.w3.org/2009/xmlenc11#mgf1sha224

MGF1 with SHA256: http://www.w3.org/2009/xmlenc11#mgf1sha256

MGF1 with SHA384: http://www.w3.org/2009/xmlenc11#mgf1sha384

MGF1 with SHA512: http://www.w3.org/2009/xmlenc11#mgf1sha512

Otherwise the two identifiers define the same usage of the RSA-OAEP
algorithm, as follows.

The message digest function SHOULD be specified using the Algorithm
attribute of the ds:DigestMethod child element
of the xenc:EncryptionMethod element. If it is not specified, the
default value of SHA1 is to be used.

The optional RSA-OAEP PSourceAlgorithm parameter value MAY be
explicitly provided by placing the base64 encoded octets in the
xenc:OAEPparams XML element.

The XML Encryption 1.0 schema definition and description for
the EncryptionMethod element is in
section 3.2 The EncryptionMethod Element. The following
shows the XML Encryption 1.1 addition for the MGF type:

The CipherValue for an RSA-OAEP encrypted key is the base64
[RFC2045] encoding of the octet string computed as per
RFC 3447 [PKCS1], section 7.1.1: Encryption
operation. As described in the EME-OAEP-ENCODE function RFC 3447
[PKCS1], section 7.1.1, the value input to the key
transport function is calculated using the message digest function and string
specified in the DigestMethod and OAEPparams
elements and using either the mask generator function specified with
the xenc11:MGF element or the default MGF1 with
SHA1 specified in
RFC 3447. The desired output length for EME-OAEP-ENCODE is one byte shorter
than the RSA modulus.

The transported key size is 192 bits for TRIPLEDES and 128, 192, or 256
bits for AES. Implementations MUST implement RSA-OAEP for the transport of
all key types and sizes that are mandatory to implement for symmetric
encryption. They MAY implement RSA-OAEP for the transport of other
keys.

5.6 Key Agreement

A Key Agreement algorithm provides for the derivation of a shared secret
key based on a shared secret computed from certain types of compatible public
keys from both the sender and the recipient. Information from the originator
to determine the secret is indicated by an optional
OriginatorKeyInfo parameter child of an
AgreementMethod element while that associated with the recipient
is indicated by an optional RecipientKeyInfo. A shared key is
derived from this shared secret by a method determined by the Key Agreement
algorithm.

Note: XML Encryption does not provide an online key agreement negotiation
protocol. The AgreementMethod element can be used by the
originator to identify the keys and computational procedure that were used to
obtain a shared encryption key. The method used to obtain or select the keys
or algorithm used for the agreement computation is beyond the scope of this
specification.

The AgreementMethod element appears as the content of a
ds:KeyInfo since, like other ds:KeyInfo children,
it yields a key. This ds:KeyInfo is in turn a child of an
EncryptedData or EncryptedKey element. The
Algorithm attribute and KeySize child of the
EncryptionMethod element under this EncryptedData
or EncryptedKey element are implicit parameters to the key
agreement computation. In cases where this EncryptionMethod
algorithm URI is insufficient to determine the key length, a
KeySizeMUST have been included.

Key derivation algorithms (with associated parameters) may be
explicitly declared by using the
xenc11:KeyDerivationMethod element. This element will
then be placed at the extensibility point of the
xenc:AgreementMethodType (see below).

In addition, the sender may place a KA-Nonce element under
AgreementMethod to assure that different keying material
is generated even for repeated agreements using the same sender and
recipient public keys. For example:

5.6.1 Diffie-Hellman Key
Values

Diffie-Hellman keys can appear directly within KeyValue
elements or be obtained by ds:RetrievalMethod fetches as well as
appearing in certificates and the like. The above identifier can be used as
the value of the Type attribute of Reference or
ds:RetrievalMethod elements.

As specified in [ESDH], a DH public key consists
of up to six quantities, two large primes p and q, a "generator" g, the
public key, and validation parameters "seed" and "pgenCounter". These relate
as follows: The public key = ( g**x mod p ) where x is the corresponding
private key; p = j*q + 1 where j >= 2. "seed" and "pgenCounter" are
optional and can be used to determine if the Diffie-Hellman key has been
generated in conformance with the algorithm specified in [ESDH]. Because the primes and generator can be safely
shared over many DH keys, they may be known from the application environment
and are optional. The schema for a DHKeyValue is as follows:

5.6.2 Diffie-Hellman
Key Agreement

The Diffie-Hellman (DH) key agreement protocol [ESDH] involves the derivation of shared secret
information based on compatible DH keys from the sender and recipient. Two DH
public keys are compatible if they have the same prime and generator. If, for
the second one, Y = g**y mod p, then the two parties can
calculate the shared secret ZZ = ( g**(x*y) mod p ) even though
each knows only their own private key and the other party's public key.
Leading zero bytes MUST be maintained in ZZ so it will be the
same length, in bytes, as p. The size of pMUST be
at least 512 bits and g at least 160 bits. There are numerous
other complex security considerations in the selection of g,
p, and a random x as described in [ESDH].

The Diffie-Hellman shared secret zz is used as the input to a KDF to produce a
secret key. XML Signature 1.0 defined a
specific KDF to be used with Diffie-Hellman; that KDF is now known as the "Legacy KDF" and is defined in Section 5.6.2.2.
Use of Diffie-Hellman with explicit KDFs is described in Section 5.6.2.1.

Implementation of Diffie-Hellman key agreement is OPTIONAL. However, if implemented,
such implementations MUST support the Legacy Key Derivation Function
and SHOULD support Diffie-Hellman with explicit Key Derivation Functions

An example of a DH
AgreementMethod element using the Legacy Key Derivation Function
(Section 5.6.2.2) is as follows:

It is RECOMMENDED that the shared key material for a Diffie-Hellman key agreement be calculated from the Diffie-Hellman shared secret
using a key derivation function (KDF) in accordance with Section 5.4.

An example of a DH AgreementMethod element using an
explicit key derivation function is as follows:

XML Signature 1.0 defined a specific KDF for use with Diffie-Hellman key agreement. In order to guarantee interoperability,
implementations that choose to implement Diffie-Hellman MUST support the use of the Diffie-Hellman Legacy KDF defined in this section.

Assume that the Diffie-Hellman shared secret is the octet sequence
ZZ. The Diffie-Hellman Legacy KDF calculates the shared keying material as follows:

Example 37

KeyingMaterial= KM(1)| KM(2)|...

where "|" is byte stream concatenation and

Example 38

KM(counter)=DigestAlg( ZZ | counter |EncryptionAlg|
KA-Nonce|KeySize)

DigestAlg

The message digest algorithm specified by the
DigestMethod child of AgreementMethod.

EncryptionAlg

The URI of the encryption algorithm, including possible key wrap
algorithms, in which the derived keying material is to be used
("Example:Block/Alg" in the example above), not the URI of the
agreement algorithm. This is the value of the Algorithm
attribute of the EncryptionMethod child of the
EncryptedData or EncryptedKey grandparent of
AgreementMethod.

KA-Nonce

The base64 decoding the content of the KA-Nonce child of
AgreementMethod, if present. If the KA-Nonce
element is absent, it is null.

Counter

A one byte counter starting at one and incrementing by one. It is
expressed as two hex digits where letters A through F are in upper
case.

KeySize

The size in bits of the key to be derived from the shared secret as
the UTF-8 string for the corresponding decimal integer with only digits
in the string and no leading zeros. For some algorithms the key size is
inherent in the URI. For others, such as most stream ciphers, it must
be explicitly provided.

For example, the initial (KM(1)) calculation for the
EncryptionMethod of the Key
Agreement example (section 5.5) would be as follows, where the binary one
byte counter value of 1 is represented by the two character UTF-8 sequence
01, ZZ is the shared secret, and "foo"
is the base64 decoding of "Zm9v".

Example 39

SHA-1( ZZ01Example:Block/Algfoo80)

Assuming that ZZ is 0xDEADBEEF, that would be

Example 40

SHA-1(0xDEADBEEF30314578616D706C653A426C6F636B2F416C67666F6F3830)

whose value is

Example 41

0x534C9B8C4ABDCB50038B42015A181711068B08C1

Each application of DigestAlg for successive values of
Counter will produce some additional number of bytes of keying
material. From the concatenated string of one or more KM's,
enough leading bytes are taken to meet the need for an actual key and the
remainder discarded. For example, if DigestAlg is SHA-1 which
produces 20 octets of hash, then for 128 bit AES the first 16 bytes from
KM(1) would be taken and the remaining 4 bytes discarded. For
256 bit AES, all of KM(1) suffixed with the first 12 bytes of
KM(2) would be taken and the remaining 8 bytes of KM(2)
discarded.

5.6.3 Elliptic Curve Diffie-Hellman (ECDH) Key
Values

ECDH has identical public key parameters as ECDSA and can be represented
with the ECKeyValue element [XMLDSIG-CORE1].
Note that if the curve parameters are explicitly stated using the ECParameters
element, then the Cofactor element MUST be included.

As with Diffie-Hellman keys, Elliptic Curve Key Values can appear directly
within KeyValue elements or be obtained by
ds:RetrievalMethod fetches as well as appearing in certificates
and the like. The above identifier can be used as the value of the
Type attribute of Reference or
ds:RetrievalMethod elements.

ECDH is the elliptic curve analogue to the Diffie-Hellman key agreement
algorithm. Details of the ECDH primitive can be found in
[ECC-ALGS]. When ECDH is used in
Ephemeral-Static (ES) mode, the recipient has a static key pair, but the sender
generates a ephemeral key pair for each message. The same ephemeral key may be
used when there are multiple recipients that use the same curve parameters.

Compliant implementations are REQUIRED to support ECDH-ES key agreement
using the P-256 prime curve specified in Section D.2.3 of FIPS 186-3
[FIPS-186-3]. (This is the same curve that
is REQUIRED in XML Signature 1.1 to be supported for the ECDSAwithSHA256
algorithm.) It is further RECOMMENDED that implementations also support
the P-384 and P-521 prime curves for ECDH-ES; these curves are defined
in Sections D.2.4 and D.2.5 of FIPS 186-3, respectively.

The shared key material is calculated from the Diffie-Hellman shared secret
using a key derivation function (KDF). While applications may define other
KDFs, compliant implementations MUST implement ConcatKDF (see section 5.4.1 ConcatKDF).
An example of xenc:EncryptedData using the ECDH-ES key
agreement algorithm with the ConcatKDF key derivation algorithm is as
follows:

5.7 Symmetric Key Wrap

Symmetric Key Wrap algorithms are shared secret key encryption
algorithms especially specified for encrypting and decrypting
symmetric keys. When wrapped keys are used, then an EncryptedKey
element will appear as a child of a ds:KeyInfo element. This
EncryptedKey element will have
an EncryptionMethod child whose
Algorithm attribute in turn identifies the key wrap algorithm.

The algorithm for which the encrypted key is intended depends on the
context of the ds:KeyInfo
element: ds:KeyInfo can occur as a child
of either an EncryptedData or EncryptedKey
element; in both cases,
ds:KeyInfo will have an EncryptionMethod sibling that
identifies the
algorithm.

5.7.2 AES KeyWrap

Implementation of AES key wrap is described in [AES-WRAP].
It provides for confidentiality and integrity. This algorithm is defined only
for inputs which are a multiple of 64 bits. The information wrapped need not
actually be a key. The algorithm is the same whatever the size of the AES key
used in wrapping, called the key encrypting key or KEK. The
implementation requirements are indicated below.

5.8 Message Digest

Message digest algorithms can be used in
AgreementMethod as part of the key derivation, within
RSA-OAEP encryption as a hash function, and in connection with the
HMAC message authentication code method [HMAC]
as described in [XMLDSIG-CORE1].) Use of SHA-256 is strongly
recommended over SHA-1 because recent advances in cryptanalysis (see
e.g. [SHA-1-Analysis], [SHA-1-Collisions] )
have cast doubt on the long-term collision resistance of SHA-1.
Therefore, SHA-1 support is REQUIRED in this specification only for
backwards-compatibility reasons.

5.8.1 SHA1

The SHA-1 algorithm [FIPS-180-3] takes no explicit
parameters. An example of an SHA-1 DigestMethod element is:

Example 45

<DigestMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

A SHA-1 digest is a 160-bit string. The content of the
DigestValue element shall be the base64 encoding of this bit
string viewed as a 20-octet octet stream. For example, the
DigestValue element for the message digest:

Canonical XML [XML-C14N11] is a method of
serializing XML which includes the in scope namespace and xml namespace
attribute context from ancestors of the XML being serialized.

If XML is to be encrypted and then later decrypted into a different
environment and it is desired to preserve namespace prefix bindings and the
value of attributes in the "xml" namespace of its original environment, then
the canonical XML with comments version of the XML should be the
serialization that is encrypted.

5.9.2 Exclusive
Canonicalization

Exclusive XML Canonicalization [XML-EXC-C14N]
serializes XML in such a way as to include to the minimum extent practical
the namespace prefix binding and xml namespace attribute context inherited
from ancestor elements.

It is the recommended method where the outer context of a fragment which
was signed and then encrypted may be changed. Otherwise the validation of the
signature over the fragment may fail because the canonicalization by
signature validation may include unnecessary namespaces into the fragment.

6. Security Considerations

6.1 Chosen-Ciphertext Attacks

A number of chosen-ciphertext attacks against implementations of this
specification have been published and demonstrated. They all
involve the following elements:

The attacker knows about the format of the
cleartext.

The attacker is able to submit substantial numbers of ciphertext messages.

The attacker is able to send arbitrary ciphertext, based on previous results.

The attacker is able to force the server to use the same key
(secret key by CBC-based attacks and server's private key by PKCS#1.5
attacks) for processing of the adapted ciphertext.

The server attempting to decrypt the ciphertext in some way
signals whether the decrypted text is well-formed or
not.

The attacker uses the knowledge of the format and the information
about well-formedness to construct a series of ciphertext
guesses which reveal the plaintext with much less work than
brute force. Attacks of this type have been demonstrated against
symmetric encryption using CBC mode [XMLENC-CBC-ATTACK][XMLENC-CBC-ATTACK-COUNTERMEASURES] and on
PKCS#1 v1.5. Other future attacks can be expected whenever
these conditions are met.

6.1.1 Attacks against the encrypted data (<EncryptedData> part)

Using the CBC-based chosen-ciphertext attacks, the attacker sends to the
server an XML document with modified encrypted data in the symmetric
part (<EncryptedData>). After a few requests, the
attacker is able to get the whole
cleartext without knowledge of the symmetric key.

It would seem that these attacks can be countered by by disrupting any
of the conditions, however in practice only preventing condition
3 (sending arbitrary ciphertext) is fully effective. To counter condition 3, it is necessary
for the decrypting system to require authenticated integrity
protection over the ciphertext. However, unless the mechanism
used is bound to the encryption key, there will no way to be sure
that the signer is not attempting to recover the plaintext. The
simplest and most efficient way to do this is to use an
authenticating block mode, such as GCM. An alternative would be
an HMAC based on the encryption key over the ciphertext, but it
is less efficient and provides no advantages.

Other countermeasures are not likely to be effective. Limiting the
number of messages presented or the number of messages using the
same key is not practical in large server farms. Attackers can
spread their attempts over different servers and long or short
periods of time, to foil attempts to detect attacks in progress
or determine the location of the attacker.

Signaling well-formedness can occur by emitting different messages for
distinct security errors or by exhibiting timing
differences. Implementations should avoid these practices,
however that is not sufficient to prevent such attacks in an XML
protocol environment, such as SOAP. Using a technique called
encryption wrapping, the attacker can insert the ciphertext in
some schema-legal part of the message. If the decryption code
notices a format error, an error will be returned, but if not
the message will be passed to the application which will ignore
the bogus plaintext and ultimately respond with an application
level success or failure message.

6.1.2 Attacks against the encrypted key (Bleichenbacher's Million
question attack on PKCS#1.5)

The goal of the attacker applying the Bleichenbacher's attack is to get
the symmetric secret key, which is encrypted in the <EncryptedKey> part.
Afterward, he would be able to decrypt the whole data carried in the
<EncryptedData> part.

The basic idea of this attack is to modify the data in the
<EncryptedKey> part, send the document to the server, and observe if the
modified ciphertext contains PKCS#1.5 conformant data. This can be
done by:

Observing fault messages of the server notifying directly that
the request was not PKCS#1.5 conformant (this should not happen).

Enlarging the data in the <EncryptedData> part and observing the
timing differences between inclusion of PKCS-valid and PKCS-invalid
keys: if the key is PKCS-valid, the session key is extracted, and the
large data is decrypted. Otherwise, the session key cannot be extracted
and the large data is not processed, which yields a timing difference.

Making specific modifications of the <EncryptedData> part based on CBC
and padding-properties.

The most effective countermeasure against the timing attack (2) is to
generate a random secret key every time when the decrypted data was not
PKCS#1-conformant. This way, the attacker would not get any timing
side-channel.

Please note however that this is not a valid countermeasure against the
specific modification of the <EncryptedData>
described in part (3). The attacker
could still use a few millions of requests to decrypt the encrypted
symmetric key. Therefore, we recommend the usage of RSA-OAEP.
RSA-OAEP also has a risk of a chosen ciphertext attack [OAEP-ATTACK] which
can be mitigated in security library implementations.

6.1.3 Backwards Compatibility Attacks

Use of state-of-the-art and secure encryption algorithms
such as RSA-OAEP and AES-GCM can become insecure when the
adversary can force the server to process eavesdropped
ciphertext with legacy algorithms such as RSA-PKCS#1 v1.5 or
AES-CBC [XMLENC-BACKWARDS-COMP]:

The attacker may be able to break the security of an AES-GCM ciphertext if he
is able to force the server to process the ciphertext with AES-CBC
and the same symmetric key.

The attacker may be able to decrypt an RSA-OAEP ciphertext if he is able to
force the server to process the ciphertext with RSA-PKCS#1 v1.5 and
the same asymmetric key.

The attacker may be able to forge valid server signatures if the server
decrypts RSA-PKCS#1 v1.5 ciphertexts and the signatures are computed
with the same asymmetric key pair.

Accordingly, in situations where an attacker may be able
to mount chosen-ciphertext attacks, we recommend the following to implementers:

Implementations SHOULD always use a different public key pair for data
confidentiality and for data integrity functionality.

Implementations using symmetric keys SHOULD NOT use the same key
material for different algorithms, even if serving the same
purpose. Key derivation based on a single key and the
algorithm identifier can be used to accomplish this, for
example.

Implementations that plan to use the same symmetric key for both confidentiality and
integrity functions SHOULD use it as the basis for a key
derivation producing different keys for those functions.

Implementations SHOULD restrict algorithm usage to algorithms known to be secure in the
face of chosen-ciphertext attacks (RSA-OAEP, AES-GCM).
In that case, documents containing RSA-PKCS#1 v1.5
[XMLENC-PKCS15-ATTACK]
and AES-CBC [XMLENC-CBC-ATTACK]
ciphertexts SHOULD be rejected without decryption.

6.2 Relationship to XML Digital Signatures

The application of both encryption and digital signatures over portions of
an XML document can make subsequent decryption and signature verification
difficult. In particular, when verifying a signature one must know whether
the signature was computed over the encrypted or unencrypted form of
elements.

A separate, but important, issue is introducing cryptographic
vulnerabilities when combining digital signatures and encryption over a
common XML element. Hal Finney has suggested that encrypting digitally signed
data, while leaving the digital signature in the clear, may allow plaintext
guessing attacks. This vulnerability can be mitigated by using secure hashes
and the nonces in the text being processed.

In accordance with the requirements document [XML-ENCRYPTION-REQ] the interaction of encryption and signing is
an application issue and out of scope of the specification. However, we make
the following recommendations:

When data is encrypted, any digest or signature over that data should
be encrypted. This satisfies the first issue in that only those
signatures that can be seen can be validated. It also addresses the
possibility of a plaintext guessing vulnerability, though it may not be
possible to identify (or even know of) all the signatures over a given
piece of data.

Employ the "decrypt-except" signature transform [XMLENC-DECRYPT]. It works as follows:
during signature transform processing, if you encounter a decrypt
transform, decrypt all encrypted content in the document except for those
excepted by an enumerated set of references.

Additionally, while the following warnings pertain to incorrect inferences
by the user about the authenticity of information encrypted, applications
should discourage user misapprehension by communicating clearly which
information has integrity, or is authenticated, confidential, or
non-repudiable when multiple processes (e.g., signature and encryption) and
algorithms (e.g., symmetric and asymmetric) are used:

When an encrypted envelope contains a signature, the
signature does not
necessarily protect the authenticity or integrity of the
ciphertext [Davis].

While the signature secures plaintext it only covers that which is
signed, recipients of encrypted messages must not infer integrity or
authenticity of other unsigned information (e.g., headers) within the
encrypted envelope, see [XMLDSIG-CORE1], section 8.1.1 Only What is
Signed is Secure].

6.3 Information Revealed

Where a symmetric key is shared amongst multiple recipients, that
symmetric key should only be used for the data intended for
all recipients; even if one recipient is not directed to information
intended (exclusively) for another in the same symmetric key, the information
might be discovered and decrypted.

Additionally, application designers should be careful not to reveal any
information in parameters or algorithm identifiers (e.g., information in a
URI) that weakens the encryption.

6.4 Nonce and IV (Initialization Value or Vector)

An undesirable characteristic of many encryption algorithms and/or their
modes is that the same plaintext when encrypted with the same key has the
same resulting ciphertext. While this is unsurprising, it invites various
attacks which are mitigated by including an arbitrary and non-repeating
(under a given key) data with the plaintext prior to encryption. In
encryption chaining modes this data is the first to be encrypted and is
consequently called the IV (initialization value or vector).

Different algorithms and modes have further requirements on the
characteristic of this information (e.g., randomness and secrecy) that affect
the features (e.g., confidentiality and integrity) and their resistance to
attack.

Given that XML data is redundant (e.g., Unicode encodings and repeated
tags ) and that attackers may know the data's structure (e.g., DTDs and
schemas) encryption algorithms must be carefully implemented and used in this
regard.

For the Cipher Block Chaining (CBC) mode used by this specification, the
IV must not be reused for any key and should be random, but it need not be
secret. Additionally, under this mode an adversary modifying the IV can make
a known change in the plain text after decryption. This attack can be avoided
by securing the integrity of the plain text data, for example by signing
it.

Note: CBC block encryption algorithms should not be used
without consideration of possibly severe security risks.

For the Galois/Counter Mode (GCM) used by this specification, the IV
must not be reused for any key and should be random, but it need
not be secret.

6.5 Denial of Service

This specification permits recursive processing. For example, the
following scenario is possible: EncryptedKeyA
requires EncryptedKeyB to be decrypted, which
itself requires EncryptedKeyA! Or, an attacker
might submit an EncryptedData for decryption that references
network resources that are very large or continually redirected.
Consequently, implementations should be able to restrict arbitrary recursion
and the total amount of processing and networking resources a request can
consume.

6.6 Unsafe Content

XML Encryption can be used to obscure, via encryption, content
that applications (e.g., firewalls, virus detectors, etc.) consider unsafe
(e.g., executable code, viruses, etc.). Consequently, such applications must
consider encrypted content to be as unsafe as the unsafest content
transported in its application context. Consequently, such applications may
choose to (1) disallow such content, (2) require access to the decrypted form
for inspection, or (3) ensure that arbitrary content can be safely processed
by receiving applications.

6.7 Error Messages

Implementations SHOULD NOT provide detailed error responses related to
security algorithm processing. Error messages should be limited to a
generic error message to avoid providing information to a potential
attacker related to the specifics of the algorithm implementation. For
example, if an error occurs in decryption processing the error
response should be a generic message providing no
specifics on the details of the processing error.

6.8 Timing Attacks

It has been known for some time that it is feasible for an attacker to
recover keys or cleartext by repeatedly sending chosen ciphertext and
measuring the time required to process different requests with
different types of errors. It has been demonstrated that attacks of
this type are practical even when communicating over large and busy
networks, especially if the receiver is willing to process large
numbers of ciphertext blocks.

Implementers SHOULD ensure that distinct errors detected during
security algorithm processing do not consume systematically different
amounts of processing time from each other. Implementers SHOULD
consult the technical literature for more details on specific attacks
and recommended countermeasures.

Deployments SHOULD treat as suspect inputs when a large number of security
algorithm processing errors are detected within a short period of
time, especially in messages from the same origin.

6.9 CBC Block Encryption Vulnerability

7. Conformance

An implementation is conformant to this specification if it successfully
generates syntax according to the schema definitions and satisfies all
MUST/REQUIRED/SHALL requirements, including algorithm support and processing. Processing requirements are specified
over the roles of decryptor,encryptor, and their calling application.

8. XML Encryption Media Type

8.1 Introduction

XML Encryption Syntax and Processing (XMLENC-CORE1, this document)
specifies a process for encrypting
data and representing the result in XML. The data may be arbitrary data
(including an XML document), an XML element, or XML element content. The
result of encrypting data is an XML Encryption element which contains or
references the cipher data.

The application/xenc+xml media type allows XML Encryption
applications to identify encrypted documents. Additionally it allows
applications cognizant of this media-type (even if they are not XML
Encryption implementations) to note that the media type of the decrypted
(original) object might be a type other than XML.

8.2 application/xenc+xml Registration

This is a media type registration as defined in Multipurpose Internet Mail
Extensions (MIME) Part Four: Registration Procedures [MIME-REG]

Type name: application

Subtype name: xenc+xml

Required parameters: none

Optional parameters: charset

The allowable and recommended values for, and interpretation of the
charset parameter are identical to those given for 'application/xml' in
section 3.2 of RFC 3023 [XML-MT].

Encoding considerations:

The encoding considerations are identical to those given for
'application/xml' in section 3.2 of RFC 3023 [XML-MT].

XML Encryption is device-, platform-, and vendor-neutral and is supported
by a range of Web applications.

Additional Information:

Magic number(s): none

Although no byte sequences can be counted on to consistently identify XML
Encryption documents, there will be XML documents in which the root
element's QName's LocalPart is
'EncryptedData' or 'EncryptedKey' with an
associated namespace name of 'http://www.w3.org/2001/04/xmlenc#'.
The application/xenc+xml type name MUST only be used for
data objects in which the root element is from the XML Encryption
namespace. XML documents which contain these element types in places
other than the root element can be described using facilities such as [XMLSCHEMA-1], [XMLSCHEMA-2].

File extension(s): .xml

Macintosh File Type Code(s): "TEXT"

Person & email address to contact for further information:

World Wide Web Consortium <web-human at w3.org>

Intended usage: COMMON

Author/Change controller:

The XML Encryption specification is a work product of the World Wide Web
Consortium (W3C) which has change control over the specification.

A.1 AES KeyWrap with Padding

These identifiers are reserved for symmetric key wrapping
using the AES key wrap with padding
algorithm with a 128, 192, and 256 bit AES key encrypting
key, respectively. Implementation of
AES key wrap with padding is defined in [AES-WRAP-PAD].
The algorithm is defined for inputs
between 9 and 2^32 octets. Unlike the unpadded AES Key
Wrap algorithm, the input length is not
constrained to multiples of 64 bits (8 octets).

Note that the wrapped key will be distinct from the one
generated by the unpadded AES Key Wrap
algorithm, even if the input length is a multiple of 64 bits.

B. References

Dated references below are to the latest known or appropriate edition of the referenced work. The referenced works may be subject to revision, and conformant implementations may follow, and are encouraged to investigate the appropriateness of following, some or all more recent editions or replacements of the works cited. It is in each case implementation-defined which editions are supported.